Platform: nodejs
Component: webpack
Fixed in: 5.49.1, 5.104.0
CVE-2025-68157 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in webpack 5. This flaw arises when the experiments.buildHttp feature is enabled, allowing bypass of URI allow-lists through HTTP 30x redirects. Exploitation can lead to build-time SSRF attacks, potentially exposing internal endpoints, and the inclusion of untrusted content within build outputs. The vulnerability affects versions of webpack prior to 5.104.0 and a fix is available.
The SSRF vulnerability in webpack allows an attacker to craft import statements that initially appear to be restricted to a trusted allow-list. However, due to the lack of re-validation of allowedUris after HTTP 30x redirects, the webpack build process can be tricked into fetching resources from arbitrary HTTP(S) URLs outside of the intended allow-list. This can have significant consequences. An attacker could potentially access internal-only endpoints that are not directly exposed to the internet, depending on the build machine's network configuration. Furthermore, the fetched content can be included in the final build output, potentially introducing malicious code or sensitive data into the application. This is particularly concerning in environments where webpack is used to generate production-ready bundles.
CVE-2025-68157 has a CVSS score of 3.7 (LOW). No public proof-of-concept (PoC) exploit has been disclosed at the time of writing. The vulnerability was published on 2026-02-05. Its impact is primarily limited to the build environment, and exploitation requires control over the webpack configuration or the ability to inject malicious import statements. The EPSS score is pending evaluation.
Exploit status:
EPSS: 0.01% (1st percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-68157 is to upgrade to webpack version 5.104.0 or later, which includes a fix for the URI re-validation issue. If upgrading is not immediately feasible, consider disabling the experiments.buildHttp feature entirely, as this eliminates the attack surface. As a temporary workaround, carefully review and restrict the allowedUris configuration, ensuring that it is as specific as possible and includes no overly broad patterns. Implement strict network segmentation to limit the build machine's access to internal resources. Consider using a Web Application Firewall (WAF) or proxy to filter outbound HTTP(S) requests from the build process, although this is not a substitute for patching the vulnerability.
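To make the redirect problem and the mitigation concrete, the following Node.js script is added here as an illustration; it is not webpack's implementation. It assumes allowedUris rules with the semantics documented for experiments.buildHttp (a string matches as a URI prefix, a RegExp is tested against the URI, a function returns a boolean), and it contrasts a fetch loop that checks only the URI written in the import with one that re-validates every redirect hop. The responses, the CDN hostname and the 10.0.0.5 address are constructed for the example; no network requests are made.

```javascript
// Added example, not webpack's code: allow-list matching modelled on the
// documented allowedUris rule types (assumption: string prefix, RegExp, function).
function matchesAllowList(uri, allowedUris) {
  return allowedUris.some((rule) => {
    if (typeof rule === 'string') return uri.startsWith(rule);
    if (rule instanceof RegExp) return rule.test(uri);
    if (typeof rule === 'function') return Boolean(rule(uri));
    return false;
  });
}

// Overly broad rule of the kind the mitigation warns against: any HTTP(S) origin.
const BROAD_ALLOW_LIST = [/^https?:\/\//];
// Specific prefix: only the CDN path the build actually needs (constructed host).
const STRICT_ALLOW_LIST = ['https://cdn.example.com/'];

// Constructed responses standing in for the network. The 302 sends the build
// from the allowed CDN to an internal address it was never allowed to reach.
const FAKE_RESPONSES = {
  'https://cdn.example.com/ok.js': { status: 200, body: 'export const ok = 1;' },
  'https://cdn.example.com/moved.js': { status: 302, location: 'http://10.0.0.5/internal/config' },
  'http://10.0.0.5/internal/config': { status: 200, body: 'internal-only content' },
};

function fakeFetch(uri) {
  return FAKE_RESPONSES[uri] || { status: 404, body: '' };
}

function isRedirect(res) {
  return res.status >= 300 && res.status < 400 && Boolean(res.location);
}

// Defective pattern: the allow-list is consulted once, for the import URI only,
// and every redirect target is followed without a second look.
function fetchCheckingOnlyInitialUri(uri, allowedUris, fetch = fakeFetch, maxRedirects = 5) {
  if (!matchesAllowList(uri, allowedUris)) throw new Error(`blocked: ${uri}`);
  let current = uri;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fetch(current);
    if (isRedirect(res)) {
      current = new URL(res.location, current).href; // resolved, not re-validated
      continue;
    }
    return { finalUri: current, body: res.body };
  }
  throw new Error('too many redirects');
}

// Hardened pattern: every hop, including each redirect target, must pass the
// allow-list before it is fetched.
function fetchRevalidatingEachHop(uri, allowedUris, fetch = fakeFetch, maxRedirects = 5) {
  let current = uri;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!matchesAllowList(current, allowedUris)) {
      throw new Error(`blocked: ${current} is outside allowedUris`);
    }
    const res = fetch(current);
    if (isRedirect(res)) {
      current = new URL(res.location, current).href;
      continue;
    }
    return { finalUri: current, body: res.body };
  }
  throw new Error('too many redirects');
}

// Returns 'blocked' or the fetched body, so the three cases can be compared.
function outcome(fn, uri, allowedUris) {
  try {
    return fn(uri, allowedUris).body;
  } catch (e) {
    return 'blocked';
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('initial check only, strict list:', outcome(fetchCheckingOnlyInitialUri, 'https://cdn.example.com/moved.js', STRICT_ALLOW_LIST));
  console.log('per-hop check, strict list:    ', outcome(fetchRevalidatingEachHop, 'https://cdn.example.com/moved.js', STRICT_ALLOW_LIST));
  console.log('per-hop check, broad list:     ', outcome(fetchRevalidatingEachHop, 'https://cdn.example.com/moved.js', BROAD_ALLOW_LIST));
}
```

The third case is the reason the mitigation asks for a specific allowedUris as well as the upgrade: per-hop re-validation only helps when the list itself excludes the internal address, and a pattern such as `/^https?:\/\//` lets the redirect target through even after the fix.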
Update webpack to version 5.104.0 or later. This fixes the allow-list bypass when following HTTP redirects. The update prevents possible SSRF attacks and the inclusion of untrusted content in build outputs.
CVE-2025-68157 is a Server-Side Request Forgery (SSRF) vulnerability in webpack 5 that allows attackers to bypass URI allow-lists through HTTP 30x redirects, potentially leading to build-time SSRF and untrusted content inclusion.
You are affected if you are using webpack 5 prior to version 5.104.0 and have the experiments.buildHttp feature enabled. Check your webpack version and configuration to determine your risk.
Upgrade to webpack version 5.104.0 or later. If upgrading is not possible, disable the experiments.buildHttp feature or carefully restrict the allowedUris configuration.
No public proof-of-concept (PoC) exploit has been disclosed at this time, but the vulnerability's potential impact warrants proactive mitigation.
Refer to the webpack security advisories and release notes on the official webpack website: [https://webpack.js.org/security/](https://webpack.js.org/security/)